Navigant Research Blog

Highly detailed and accurate mapping data will be critical to the technical success of future autonomous vehicles. However, in order for consumers and regulators to accept vehicles that pilot themselves to a desired destination, they will need to have a great deal of trust in the technology. That trust is currently in serious danger of being eroded by an ongoing series of computer network attacks, including one demonstrated recently on Wired.com. The need to bolster automotive cybersecurity is one of the factors driving Mercedes-Benz, Audi, and BMW to jointly acquire Nokia’s Here mapping division.

Nokia was an early leader in the field of bringing high quality maps to mobile devices with its 2007 acquisition of Navteq, but the world of mobile cartography has shifted dramatically since then. With mapping apps from Google and Apple joining incumbents such as TomTom and Garmin, along with the rapid development of autonomous driving capabilities, the expectations for map data has increased exponentially. Cartographic data needs to be kept continuously updated through fleets of camera and sensor-equipped vehicles, in addition to crowd sourcing for real-time information. Unlike traditional automotive navigation systems that might get updated annually at best, this fresh data will need to be pushed to automated vehicles as soon as it’s ready.

The big three German premium brands are all expected to be on the leading edge of introducing level 2 automation capabilities and are likely to ramp up automation as soon as technology and the market allows. Navigant Research’s Autonomous Vehicles report projects that nearly 50 million vehicles with some form of autonomous capability will be sold globally by 2030. One of the key drivers for the move to automation is the desire to reduce accidents to near zero by taking humans out of the driving control loop.

Gaining Trust

Before that can happen, everyone will need a much higher degree of confidence in the security the software and electronic systems, something that is getting more difficult by the day. For several years now, computer security researchers have been demonstrating increasingly sophisticated cyber attacks against vehicles, with the most recent coming from Charlie Miller and Chris Valasek. Miller and Valasek were able to remotely take control of a 2014 Jeep Cherokee through its telematics system, manipulate the audio system, wipers, steering, and even shut down the engine as it was driven by Wired reporter Andy Greenberg. These attacks are not trivial and are not yet widespread, but as we’ve seen from recent attacks against the U.S. Office of Personnel Management and retailers such as Target and Home Depot, the more attackers learn about the systems, the more attack vectors they find.

Automakers are hiring some of these same security researchers and creating teams solely focused on securing their in-vehicle networks. When automakers outsource control systems or data such as maps to suppliers, they often get only a black box that they can hook into without access to source code. Recognizing that they will be increasingly liable for the performance of advanced systems, they are now bringing some of the work back in-house where they can control it. Daimler AG CEO Dieter Zetsche recently acknowledged that security concerns were one of the reasons his company was partnering with its chief rivals to purchase Here maps. Similar concerns have prevented numerous automakers that have been approached by Google from adopting its autonomous driving software and developing their own code instead. Unless Google is willing to give up control of its software to automakers, it may only get adopted by lower tier companies without the resources to develop their own autonomous systems.

Executive Order 13636 requires, among other things, the National Institute of Standards and Technology (NIST) to develop a “Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.” There is a lot of good detail as to what is expected to be in this framework, whose requirements run to a full page. Recently, NIST hosted its first Cybersecurity Framework Workshop to address those necessities. This particular workshop resulted from the following specific requirement: “In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process.” The director of NIST must deliver a framework within 1 year of the publication of the Executive Order (EO); that is, no later than February 19, 2014.

I’m not sure what a framework workshop is, or how many times the word “work” must appear in a meeting title before people will believe that you plan to accomplish something. At any rate, over 700 people attended the workshop ‑ quite large to qualify as a workshop. Living in the Dallas–Fort Worth area, I remember years when the Texas Rangers could barely get 700 people to attend their baseball games (unless Nolan Ryan was pitching). Besides, here in Texas, anything with 700 members is usually called a herd.

Engaged, Considered

Whatever you call it, this event was important. Strictly speaking, the 700 workshop attendees were allowed to comment, but the EO only requires the Secretary of Homeland Security to “engage and consider” their advice. Based upon past experience, the likelihood of their input being ignored is very low.

A prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk

Methodologies to identify and mitigate impacts of the Cybersecurity Framework … on business confidentiality, and to protect individual privacy and civil liberties

After that, quoting Section 8(a) of the EO, “The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.”

In other words, 1 year to develop a framework of non-binding recommendations for the protection of critical infrastructure. Here in the smart grid world, we already have that. It’s called the NISTIR 7628 series. So maybe it’s a very good call to have NIST run this play. But you’d have to accept that critical infrastructure owners will spend money on protection that they are not required to spend. To date, that trend is not encouraging.